1 / 24

Security Continued

Security Continued. Public Key Cryptography Double Encryption. Receiver. Sender. Transmitted data. Hello. This is my message that must be kept secret. Hello. This is my message that must be kept secret. 12ga;jey ck027jc;L;sajckjyfrasbiiop[pa2354mghdas. Sender’s private Key.

saman
Download Presentation

Security Continued

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SecurityContinued Grid Computing, B. Wilkinson, 2004

  2. Public Key CryptographyDouble Encryption Receiver Sender Transmitted data Hello. This is my message that must be kept secret Hello. This is my message that must be kept secret 12ga;jey ck027jc;L;sajckjyfrasbiiop[pa2354mghdas Sender’s private Key Receiver’s private Key Sender’s public key Original data Original data Receiver’s public key Slow but secure. Grid Computing, B. Wilkinson, 2004

  3. Question Why is single encryption with receiver’s public key/single decryption with receiver’s private key (slide 5-19) not sufficient? Answer Grid Computing, B. Wilkinson, 2004

  4. Public Key and Secret Key Cryptography • Public Key and Secret Key Cryptography generally used together. • Public key Cryptography with Certificates and a Certificate Authority (CA) used to establish a secure authenticated connection between parties. Then: • Secret key passed between parties. • Secret key cryptography used to encrypt data, which is much faster than public key cryptography. Grid Computing, B. Wilkinson, 2004

  5. Use of Public Key Infrastructure(PKI) • Several network protocols have embedded public key and/or secret key cryptographic algorithms. • Most notable is SSL (described in slides5), which can be added on top of protocols such as http (i.e. https), FTP (sftp), and telnet. Grid Computing, B. Wilkinson, 2004

  6. Others include: • For secure email - S/MIME (Secure Multipurpose Internet Mail Extensions) developed by RSA Data Security Inc, see: http://www.rsa.com/smime • For secure e-commerce - SET (Secure Electronic Transaction), developed jointly by Visa, Mastercard, IBM , and other companies, for secure credit card transactions over the Internet, see: http://www.setco.org Grid Computing, B. Wilkinson, 2004

  7. Certificate Authorities • Commercial Certificate Authorities exist, such as: • VeriSign Inc. • Entrust Technologies Inc., • Web browsers have built-in recognition such trusted CAs, allowing SSL and other secure connections. Grid Computing, B. Wilkinson, 2004

  8. General Public Key Infrastructure From: “Deploying a Public Key Infrastructure,” IBM Redbook, SG24-5512-00. Grid Computing, B. Wilkinson, 2004

  9. Certificate Repository • Used to store: • Issued certificates • Revoked certificates (CRLs - Certificate Revocation List) • Might be accessed through LDAP (Lightweight Directory Access Protocol) Grid Computing, B. Wilkinson, 2004

  10. Registration Authority • Acts for CA for some management functions (see IBM Redbooks). • Not strictly necessary as CA could do all functions. Grid Computing, B. Wilkinson, 2004

  11. Certificate CA’s X-500 name CA’s public key CA’s digital signature CA’s own certificate CA needs it own certificate identify itself • First it generates key pair. • It protect its private key. (This is vitally important!) • It then creates a certificate and signs it with its private key: Grid Computing, B. Wilkinson, 2004

  12. Requesting a certificate from a CA • Usually the requesting client generates a public/private key pair and then submits an unsigned certificate to the CA. • The certificate returned signed by the CA contains the public key. Grid Computing, B. Wilkinson, 2004

  13. Question Why usually does the CA not generate the public/private key pair for the requester? Answer Because it would require the private key to be sent to the requester. If the requester generates the private key, it is more secure as it does not leave requester. Grid Computing, B. Wilkinson, 2004

  14. Using a signed certificate to send a secure message • One can attached it to your message. • Alternatively, the message is sent without a certificate and the receiver has to retrieve the certificate from a public place. Either way, the receiver checks the signature. It has to be CA it can trust. Grid Computing, B. Wilkinson, 2004

  15. CertificateLifetime • Certificates have a limited lifetime for security purposes, i. e. certificates are issued with an expiration date. • Have a renewal process but user will normally have same public/private key pair. Grid Computing, B. Wilkinson, 2004

  16. Certificate Authorityfor Grid Computing • Usually a certificate authority is created for the specific grid computing environment. • Globus has “simple” implementation called simpleCA. Grid Computing, B. Wilkinson, 2004

  17. Grid Users • After Certificate Authority established for the grid, users have to register with grid CA. • This was done for each account provided at WCU, so users did not have to do anything. • In general, users joining a grid from geographically dispersed locations must communicate with the CA system administrator to verify their identity and to get a certificate. • Communication often done by email. Grid Computing, B. Wilkinson, 2004

  18. Globus Interaction with Certificate Authority This step done by email or a more a secure way. Grid Security Infrastructure From: “Introduction to Grid Computing with Globus,” IBM Redbooks, SG24-6895-012003, Fig. 3-3. Grid Computing, B. Wilkinson, 2004

  19. Grid Computers • Computers added to a grid (donors) preferably need their identity verified in a similar fashion. • Computers registered with certificate authority - only those machines will be allowed to participate in the grid activities. • Computers might be used under a certain access rights. Grid Computing, B. Wilkinson, 2004

  20. GSI Authentication/Authorization FunctionsCommunicating from Host A to Host B • From host A to host B: • Host A send its certificate to Host B • Host B gets Host A’s public key and name using CA’s public key. • Host B creates a random number and sends it to Host A. • Host A encrypts random number with its private key and sends it to host B. • Host B decrypts number and checks number. If correct, Host B authenticates host A’s certificate. Grid Computing, B. Wilkinson, 2004

  21. From: “Introduction to Grid Computing with Globus,” IBM Redbooks, SG24-6895-012003, Fig. 3-4. Grid Computing, B. Wilkinson, 2004

  22. Proxies • Proxy needed to delegate authority to another host, say host C through host B, where the proxy will act on your behalf. • Rather a large number of steps. Grid Computing, B. Wilkinson, 2004

  23. From: “Introduction to Grid Computing with Globus,” IBM Redbooks, SG24-6895-012003, Fig. 3-5. Grid Computing, B. Wilkinson, 2004

  24. Proxies used to authenticate users and run user programs on grid. • Proxy created with grid-proxy-int command. • We shall see a use of this in assignment 3. Next task is assignment 2. Grid Computing, B. Wilkinson, 2004

More Related